We've found ourselves in conversation with organizations that feel confident they are immune to B2B payment fraud because they have a strong bank account validation process protecting their payments. Bank account validation and verification are very useful, and it makes sense that the process would be considered a reliable method of confirming individual and business accounts. Unfortunately, we've seen several cases where companies have inadvertently sent payments to a fraudulent account even though the account was verified by the bank. As scary as it sounds, bank account validation isn't as dependable as it may seem when it comes to securing business payments.
Bank account validation is a process that confirms the accuracy and legitimacy of a bank account. It is commonly used by businesses and financial institutions for various purposes, such as verifying that an account exists and is active before initiating electronic payments, direct deposits, or wire transfers. By confirming that the provided bank account details are correct, bank account validation helps to safeguard the integrity of financial transactions and streamline the flow of funds. This practice plays a role in mitigating the risk of errors, fraud, and financial losses that can occur.
A bank account validation process typically involves confirming several key pieces of information about a bank account, including the name on the account, the account number, and the routing number of the bank. An account validation process in many cases can reveal a bad actor attempting to steal funds because the information won’t match up between the real vendor and the fraudster. If the information on the account doesn’t match the real vendor, then the validation process will catch it. It’s simple, right?
In theory, a reliable bank account validation method should give businesses confidence that their funds are going to or coming from a legitimate bank account that belongs to a confirmed and verified individual or entity. But that is not always the reality.
Unfortunately, bank account validation only proves that the account exists and belongs to the person, company, or entity whose name is on the account. But fraudsters are savvy: they know how to steal information and then open and use bank accounts that are, on paper, completely legitimate.
Consider the following scenario: an attacker hijacks an email conversation of someone on the finance team at a vendor company. Through this business email compromise (BEC) attack, the threat actor can now access all sorts of financial documents that are contained in past emails. Armed with this information, the attacker opens a new bank account for this same vendor at the same bank that the vendor already uses. Because the fraudster uses all the correct information to open the account, any account validation process will show that it is a legitimate account and won’t raise any red flags. As far as the bank is concerned, everything looks normal and aboveboard. The only difference is that the vendor doesn’t know that a new bank account exists in their name, and that this new bank account will be used to divert payments meant to go to them.
In this scenario, the bad actor now has a new, fully verified bank account in the vendor company’s name that only they have access to. From here, the attacker can reach out to clients of the vendor company, submit fake invoices, and request a change to their bank account number so that the company sends funds to the new mule account. Once the fraudster has successfully received the money, they will then forward along these funds to any number of other bank accounts they have access to and steal the money.
While in the scenario above our fraudster created a mule account at the same bank as the vendor, they could also do the same at a different bank and still go undetected. Even in this case, bank account validation still won’t identify the new account as fraudulent if all the information used to open the account is legitimate. Here the bad actor is also taking advantage of the fact that there exists no database that verifies accounts across different banks. Banks only verify the information they have access to, and they wouldn’t have the visibility to see if multiple accounts were opened at different banks that might look suspicious.
Bank account validation is only one line of defense to protect an organization against fraud. To receive full protection on B2B payments, a more robust approach to fraud detection is required. Businesses need a tool that can connect all the dots across the payment process and see what's really going on. Even if the fraudster is able to create a bank account that passes validation, there are other points where they can be stopped as they execute their attack.
A platform like Trustmi can detect the anomalies and suspicious signals within a fraud scheme and stop payments from going to the wrong place. Our platform protects the entire payment process and looks at additional factors and data that reveal when fraud is afoot. For example, our platform identifies fake vendor invoices and analyzes email communications to flag BEC attacks, social engineering, and executive impersonation, among other fraud detection capabilities.
Traditional bank account validation can and should still play a role in protecting against fraud, and it is part of our offering. Our approach to bank account validation gives vendors a secure way to connect directly to their bank accounts and enter their information easily during onboarding, and it offers a penny-drop validation capability. But our platform enhances the traditional approach with advanced validation controls, including our new call-back procedure, Trustmi Certify, which saves time and effort. Our solution also adds an extra layer of protection through our unique Trust Network. Companies that join the Trust Network become fully verified, so if a fraudster opens a new bank account and requests changes to the vendor's banking information, the network analyzes this activity to determine whether it is an isolated incident of impersonation or a real account change request that the vendor is making to all of its clients.
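As an added example that is not Trustmi's code, here is a defender-side gate for a vendor bank-detail change request that applies the signals described above: whether the vendor's other clients received the same change (broadcast versus isolated), whether the request came from a contact on file, and whether an out-of-band call-back confirmed it. The vendor, client, account and mailbox values are constructed for illustration.

```python
# Added example, not Trustmi's code: gate a vendor bank-detail change request on
# the signals the text describes, since the mule account itself passes bank
# validation.  All vendors, accounts and addresses here are constructed.
from dataclasses import dataclass


@dataclass
class ChangeRequest:
    vendor: str
    client: str               # client that received the request
    new_account: str          # account the payer is asked to switch to
    from_address: str         # mailbox the request arrived from
    callback_confirmed: bool = False  # confirmed by phone on file, not by replying to the email


def assess(req, contacts_on_file, network_requests, min_corroboration=2):
    """Return (decision, flags).  network_requests is the pool of change requests
    the vendor's other clients reported (the Trust Network idea above).  A hijacked
    mailbox passes the sender check, so corroboration and call-back are checked
    independently of it."""
    flags = []
    if req.from_address.lower() not in {c.lower() for c in contacts_on_file}:
        flags.append("sender not a contact on file")
    others = {r.client for r in network_requests
              if r.vendor == req.vendor and r.new_account == req.new_account
              and r.client != req.client}
    if len(others) < min_corroboration:
        flags.append(f"isolated change: {len(others)} other client(s) saw it")
    if req.callback_confirmed:
        return ("approve" if not flags else "review"), flags
    # A bank-detail change is never applied on the strength of an email alone.
    return ("review" if not flags else "hold"), flags


ACME_CONTACTS = {"ap@acme.example"}
# Genuine change that Acme announced to its other clients B and C.
NETWORK = [ChangeRequest("Acme", c, "NEW-7788", "ap@acme.example") for c in ("B", "C")]
# BEC scenario from the text: real mailbox hijacked, isolated mule account, no call-back.
HIJACKED = ChangeRequest("Acme", "A", "MULE-0001", "ap@acme.example")
GENUINE = ChangeRequest("Acme", "A", "NEW-7788", "ap@acme.example", callback_confirmed=True)

if __name__ == "__main__":
    for r in (HIJACKED, GENUINE):
        print(r.new_account, assess(r, ACME_CONTACTS, NETWORK))
```

The hijacked-mailbox case shows why the sender check alone is not enough: the request comes from the real address and still ends up on hold because no other client saw the change and nobody called the vendor back.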
When it comes to a process as complicated and vulnerable as vendor payments, businesses shouldn't rely only on bank account validation to ensure their funds go to the right place. Creating a legitimate-looking mule account is easy for fraudsters, and unfortunately a bank validation process is not 100% foolproof.